Hi Mukund, many thanks for your comment. Cheers.

Is there a reason why the td-agent wasn't containerized?

You made my day. Thanks for watching this video and the feedback you provided.

Good question about why td-agent wasn't containerized. It can be. But for some reason I decided to go with rpm installation. If you want you can use it as a container. docs.fluentd.org/v0.12/articles/install-by-docker Thanks, Venkat

Hi Rogin, thanks for watching this video. Was recorded a while ago. Did I mention anything about part 2? Thanks.

@@justmeandopensource You've mentioned it at 7:47. Would be great if you would do another video on the EFK Stack. You could also do an updated one.

Thanks for watching. Cheers.

Hi Lee, thanks for watching.

Thank you for watching. I will check graylog and see if I can have a play with it.

@@justmeandopensource eagerly waiting

I spent some time looking into this. There is no official helm chart available to deploy graylog in kubernetes. Although there is this from kong-z repository. github.com/KongZ/charts. I tried and it didn't work. There were lots of open issues with that chart and it isn't worth spending time looking into it. If I were you, what I would have done is, use mongodb chart from bitnami and elasticsearch chart from helm stable repo and for graylog I would create one myself. Official documentation for graylog has instructions on how to run it in docker. So there is a container image for graylog. You can create helm chart for graylog yourself. I don't think I will have time to look into this further I am afraid. I will give it a try later if time permits. Thank you.

Hi Gavriel, many thanks for watching. Cheers.

Hi, thanks for watching.

Hi, thanks for watching. I will see if I can do that. Cheers.

Haha. BTW Thanks for watching.

hi Bharat, thanks for watching. Logstash is log parser while fluentd is log shipper. You install fluentd on a client machine and fluentd takes care of collecting and sending the logs to either elasticsearch directly or to a logstash for parsing before being stored in elasticsearch. You can parse the logs and transform/filter in logstash and then forward to elasticsearch. Hope this makes sense. Cheers.

Hi Siva, Thanks for watching this video. I have done a video related to your request. Its about monitoring Kubernetes logs using EFK stack. Not sure if its going to be helpful but might give you some direction. You can check that out in the below video. kzbin.info/www/bejne/bp-6mWR9gclqpLs It sends all the logs to one index. I haven't tried configuring different indexes for different namespaces though. I think it is little bit involved. But the article in the below link attempts to do that by splitting logs for specific namespaces. See if that helps. blog.ptrk.io/tweaking-an-efk-stack-on-kubernetes/ Thanks.

Hi Jason, thanks for watching this video. Elasticsearch requires the below kernel setting to be present before starting the container. I believe I mentioned this in the video. Can you make sure you did this step before starting the container? $ sudo sysctl -w vm.max_map_count=262144 Sometimes when I forget to run this command, elasticsearch container exits similart to your case. So I believe this could be a possible reason. Thanks.

No problem at all. Glad that you got the solution. Was it any different to the one I suggested? I thought it would be helpful for other viewers. Cheers.

@@justmeandopensource Exactly the same, hehehe

@@AlexLDemise Cool.

Hi John, thanks for watching. It depends on how much of data you are going to process in your elasticsearch. Just a bare minimum installation of elasticsearch itself requires half a gig of ram. t2.micro comes with 1GB RAM. So you will be fine installing just elasticsearch on it. But if you want to install other components as well, the machine could struggle.

Hi Manohar, thanks for watching this video. I haven't dealt with a multiline log file yet. But I guess you would use logstash to parse and format it before sending it to the elasticsearch engine. When I searched online, I found this stackoverflow discussion which might give you some direction. stackoverflow.com/questions/42645366/filebeat-process-multilne-xml Thanks.

@@justmeandopensource Thanks Venkat. However, we are exploring with Fluentd plugins since we've chosen EFK stack. Currently, we are not able to get the XML parsed when its present in multiline. Tried using concat plugin and then we're unable to parse xml using available plugins.

@@MM-Mysore Have you checked the below link on how to use multiline parser plugin for fluentd? docs.fluentd.org/parser/multiline I haven't tried it myself but might give you some idea. Thanks.

Hi Uday, thanks for watching. Yes using td-agent is abolutely fine.

@@justmeandopensource Thanks Venkat for your reply, your explanation is crisp and clear. It would be more helpful if u can talk about elk best practices in upcoming postings.

@@udaymailforu Sure. At the moment, my focus has shifted to Kubernetes, GCP and AWS. I will do ad-hoc videos in this series whenever I get some time. Cheers.

Hi Naresh, thanks for watching this video. Fluentd can be used either as log forwarder or as log aggregator. Your set up is fine. You are using td-agent to forward the logs directly to elasticsearch. No problem with that. In the video, I forward logs to log aggregator which forwards it to elasticsearch. The use of aggregator in between will be useful in certain scenarios. An example would be high availability option. If you have 100s of clients forwarding through td-agent to elasticsearch and if you decide to change the elasticsearch url or port or any other aspect, you would have to update it on all 100s of clients. If you had used a log aggregator, you only need to update one machine or couple depending on HA setup. Hope this makes sense. Thanks, Venkat

@@justmeandopensource Got it, thanks. Looking forward to more videos from your channel. Cheers!

Hi Nguyen, thanks for watching. I am sure I have tried v7. Have a look at my docker compose files in the below github repo. github.com/justmeandopensource/elk/tree/master/docker

it works! tks Venkat

Cool. No worries.

Hi Kay, thanks for watching. I think you missed one important step without which elasticsearch container won't run properly. I am not sure whether I mentioned in this video. I have mentioned that on few of my elastisearch videos. Please make sure to run the below command on your host machine (assuming your host machine is Linux). $ sudo sysctl -w vm.max_map_count=262144 And then give it a try. Cheers.

@@justmeandopensource Venkat you are awesome!

@@Babbar_supreme_leader Thanks for watching.

HI Sainath, thanks for watching this video. I haven't used Amazon kinesis. There is another video I did which is basically FileBeat -> Logstash -> Elasticsearch -> Kibanana. Thanks, Venkat

Just me and Opensource thanks for the response! We recently switched from filebeat to fluentd

I have a question, I have a docker running inside an ec2 instance. I pulled fluentd artifactory and created a container but I could not able to see td-agent installed. Are td-agent.conf and fluent.conf are two separate configuration files? Please provide me your valuable response? Thanks!

Hi Najam, thanks for watching. I actually released a video today on how to deploy Elastic Cloud on Kubernetes. In this process, we are not using helm charts. We deploy Elastic operator which can manage our elasticsearch, kibana deployments in the cluster. This method of deploying elastic cluster comes with security and encryption by default. You can watch the first part of the video in the below link. kzbin.info/www/bejne/p5vRhWOmipV8iNE The second part where I will be explaining about filebeat configuration will be released next Monday. Cheers.

Hi Saravana, thanks for watching. There is this documentation that tells you how to do exactly that. docs.fluentd.org/installation/install-by-dmg Hopefully you will get it done. Cheers.

Hi Alex, I am kind of lost on what you are asking. In this video, I used td-agent on the client and it listens on a port. Any application on the client can forward the logs to this td-agent which inturn forwards it to the fluentd log aggregator and then to the elasticsearch. Haproxy is a load balancing solution. What is it you are trying to do with haproxy or where is it you are configuring? Thanks.

@@justmeandopensource I wanna send the haproxy logs to my fluentd

@@AlexLDemise Ahh now I got it. Let me see how that can be done and will let you know. Thanks.

@@justmeandopensource Ohh, thank you very very much :)

@@AlexLDemise You can follow two approaches to get haproxy logs to elasticsearch. 1. Follow the article www.fluentd.org/guides/recipes/haproxy-elasticsearch. Sending logs to td-agent directly 2. Configure haproxy to write logs through rsyslog and configure rsyslog to forward to td-agent. You can check this link www.haproxy.com/blog/introduction-to-haproxy-logging/ Thanks.

docker run --log-driver=fluentd --log-opt fluentd-address=192.168.0.42:24224 hello-world its working and i can see output in kibana. :)

@@najamawan Cool.

Hi, thanks for watching. I would advice you to try each of those you mentioned and decide yourself which suits your needs. There is no one best solution and I do not know full context of your environment.

@@justmeandopensource how about if my context is not too much CPU and Memory.

Anyway, I will try EFK first, just follow your video. Thank you so much.......

Hi Lee, The ip address of the fluentd server is configured in the td-agents config file clients-td-agent.conf. In the section under section, you specify the ip address of the fluentd server. Starting at 20:00 you can see me configuring td-agent. Cheers.

@@justmeandopensource ah I see now. But no Port was specified... I assume the port is conventional and td agent knows what port to default to..?

@@leegaines2391 yes. Thats right.

Hi Ashok, thanks for watching. I have gone with the default setting where log rotation is not enabled. The below documentation link might help you in right direction. docs.fluentd.org/deployment/logging#log-rotation-setting Cheers.

HI Praveen, thanks for watching. Thats absolutely possible. You just need to make sure to expose your elastic search endpoint outside the cluster.

@@justmeandopensource Hi Venkat, thanks for your response. Which one would be better? filebeat, td-agent or winlogbeat? Which service should use to expose elastic search (nodeport or load balancer)?

@@praveenkorvi2227 Exposing a service through load balancer is the standard practise. What is it exactly you want to collect (metrics/logs or anything else). Each tool is designed for a specific purpose. Cheers.

@@justmeandopensource .NET Application logs from Windows server. Thats it

@@praveenkorvi2227 Don't have much experience with .NET but i would guess winlogbeat would be better in your case. Cheers.

Hi Nilesh, thanks for watching. I used LXC containers to launch a machine. You can use a CentOS7 Virtual Machines for this.

@@justmeandopensource can u suggest give me cmd for that

@@nileshyadav9764 You just need to launch a virtual machine using VirtualBox.

Hi Sha, thanks for watching. Please check the logs of Kibana container which might give you some clue about the failure.

@@justmeandopensource if i knew what is going on in the logs, definitely i would have not taken your time

@@shafigh6916 It would be helpful if you could share the elasticsearch and kibana logs

Hi Amir, I keep switching OS and desktop environment. I will never be satisfied and contended with one. And this one was my setup a very long time ago and not using this at the moment. I am currently on Archlinux running I3 tiling window manager :)

Hi Surendra, thanks for watching. Its the conky process. Unfortunately I don't have the conky config file anymore. You should be able to get a basic conkyrc file in the internet and customize it to your needs.

@@justmeandopensource ok thanks and please make videos on docker+ansible related and elastalert+elk give a try !!

Sure will do.

@@justmeandopensource Thanks will be waiting for those !!

Hi, you don't want to install td agent inside all the containers. Instead you can run it as a daemonset in your cluster that will pull container logs from all the pods. I am planning to do a video on that at some point. Cheers.

@@justmeandopensource thanks bro.. please put video for docker containers also... my environment running on docker..

no worries.

@@muthukumarramu3149 How did you do it? I too have docker container env and want to send application logs inside docker container to fluentd. Pl guide

@@ulkaasati8509 two ways can be done.. One is graylog and other one EFK. In EFK all container network should be same. Then only you can get the logs.. for application logs.. developers needs to write the code and logs stored in volumes.

Hi, thanks for watching and pointing out this info. Will be helpful to others as well. Cheers.

@@justmeandopensource Thank you for the video my good Sir! Glad I could help :)

Hi, thanks for watching. I am not into Azure yet.

Thanks for watching. I will add it to my list. Cheers.

@@justmeandopensource when can we expect 😉😉

@@surisurendrababu Can you explain what exactly you want?

@@justmeandopensource I want to install Metric and audit beat in my employees laptop and through that i want to check the logs

Hi Najam, thanks for watching. It might be a transient issue. I checked the url rubygems.org/specs.4.8.gz and I could download the tar file. So it could just be a temporary issue when you tried. Please try it again. Cheers.

@@justmeandopensource yeah i can open in browser and in cli using wget. but when using docker compose up. it throws error. can you try docker compose up and see .

@@najamawan Its working fine for me. pastebin.com/h5fpfDUn

@@justmeandopensource i m using opensuse tumbleweed i disable firewall restarted issued docker-compose up and everything works. cant believe wasted 2 days for this. thanks for your response and your test. i was not hoping you would reply but you did and thats awesome :)

@@justmeandopensource elasticsearch | [1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]